Security Operations · SY0-701 · Task 4.8

Digital forensics — SY0-701

Digital forensics for CompTIA Security+ SY0-701: process phases, volatile vs. non-volatile data, chain of custody, and exam traps explained.

WHAT IT IS

Digital forensics is the identification, collection, examination, and analysis of data while preserving information integrity and maintaining a strict chain of custody. (Source: NIST SP 800-86 via NIST CSRC Glossary.)

A parallel definition from CNSSI 4009-2015 / DoDD 5505.13E frames it as the application of computer science and investigative procedures for examining digital evidence while maintaining proper search authority, chain of custody, mathematical validation, validated tools, repeatability, and documented reporting.

Both definitions share three non-negotiable pillars: scientific rigor, integrity preservation, and chain of custody.


Mental model

Think of a digital forensics investigation as a one-way evidence funnel: you can only move forward through the phases, because going back to re-collect risks tainting the evidence. Every decision — which data to capture first, which tools to use, how to document — is made with one question in mind: would this hold up if examined by a third party?

The four phases — identification, collection, examination, and analysis — come directly from NIST SP 800-86 and map to the NIST CSRC Glossary definition above.


When to use it

A key judgment the exam tests is knowing when digital forensics applies versus when a different security operation takes over. The table below shows the distinction between digital forensics and two closely related activities.

Dimension      | Digital forensics                                                    | Incident response                               | Threat hunting
Primary goal   | Preserve and examine evidence for legal or investigative proceedings | Contain and eradicate an active threat          | Proactively search for hidden threats
Trigger        | After an event is detected or suspected                              | During an active or recently confirmed incident | Ongoing, before confirmation of an incident
Key constraint | Evidence integrity and chain of custody                              | Speed of containment                            | Hypothesis-driven discovery
Output         | Documented findings suitable for review                              | Restored operations                             | Identified indicators of compromise

Digital forensics can run in parallel with incident response, but its integrity requirements mean forensic collection must not be sacrificed for the sake of speed.


COMMON MISCONCEPTION

"Powering down a system is a safe first step when seizing a device."

This is one of the most consequential mistakes a responder can make. Volatile data — defined by NIST SP 800-86 as "data on a live system that is lost after a computer is powered down" — includes active network connections, running processes, and RAM contents. Once the machine is powered off, that data is permanently gone.

The correct approach is to collect volatile data first, before collecting non-volatile data. Non-volatile data is defined by NIST SP 800-86 as "data that persists even after a computer is powered down" and can be acquired after the volatile data is secured.

A second common trap: believing that copying files with an operating system's built-in copy command produces a usable forensic copy. A forensic copy is defined by NIST SP 800-101 Rev. 1 and NIST SP 800-72 as "an accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm." A standard OS copy does not capture free space, slack space, or produce a verifiable hash — making it forensically invalid.


How it shows up on the exam

The cognitive target for digital forensics questions is application — scenarios ask candidates to select the correct action or explain why a specific procedure matters.

Common question frames include:

  • Ordering tasks: candidates are asked to arrange steps in the correct sequence; the volatile-before-non-volatile distinction is a frequent pivot point.
  • Tool selection: questions distinguish between a write-blocker (a device that permits forensic examination of media while preventing data modifications on the target media, per NIST SP 800-101 Rev. 1 and NIST SP 800-72) and other acquisition methods.
  • Chain of custody: chain of custody is defined by NIST SP 800-72 and NIST SP 800-101 Rev. 1 as a process that documents the movement of evidence throughout its collection, safeguarding, and analysis phases — including who handled it, when, and why. Questions test whether candidates recognize that a gap in that documentation can undermine the evidentiary value of otherwise intact data.
  • Disk imaging: disk imaging produces "a bit-for-bit copy of the original media, including free space and slack space" (NIST SP 800-86). Questions may contrast disk imaging with a file-level copy and ask which is appropriate for forensic purposes.
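The forensic-copy and chain-of-custody points above, as an added example that is not part of the original page: a constructed in-memory "disk" is imaged bit-for-bit and hashed, a file-level copy of the same media is shown to miss the free-space region, and a custody log re-hashes the evidence at every handover and flags a gap or a tampered copy. All names, dates and data are assumptions constructed for illustration.

```python
"""Added example: bit-for-bit image with hash verification plus a
chain-of-custody log whose continuity and integrity are checked.
The media below is a constructed byte buffer, not a real device."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample media: an allocated file followed by free space
# holding residue that a file-level copy would not capture.
FILE_CONTENT = b"invoice.txt: pay ACME 1200\n"
FREE_SPACE = b"\x00" * 16 + b"deleted note: wire to offshore\n" + b"\x00" * 16
MEDIA = FILE_CONTENT + FREE_SPACE


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(media: bytes) -> tuple:
    """Bit-for-bit acquisition: copy every byte (free space included), then hash."""
    image = bytes(media)
    return image, sha256(image)


def file_level_copy(media: bytes, allocated_len: int) -> bytes:
    """What an OS copy command yields: only the allocated file bytes."""
    return media[:allocated_len]


@dataclass
class CustodyLog:
    original_hash: str          # hash recorded at acquisition time
    entries: list = field(default_factory=list)

    def transfer(self, frm: str, to: str, when: str, why: str, evidence: bytes) -> None:
        # Every handover records who, when, why, and a fresh hash of the evidence.
        self.entries.append({"frm": frm, "to": to, "when": when, "why": why,
                             "hash": sha256(evidence)})

    def is_intact(self) -> bool:
        """True only if every hash equals the original and custody is continuous."""
        if any(e["hash"] != self.original_hash for e in self.entries):
            return False
        return all(a["to"] == b["frm"] for a, b in zip(self.entries, self.entries[1:]))


if __name__ == "__main__":
    img, digest = acquire_image(MEDIA)
    print("image hash:", digest)
    print("free-space residue in image:", b"offshore" in img)
    print("free-space residue in OS copy:", b"offshore" in file_level_copy(MEDIA, len(FILE_CONTENT)))
```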

Signal phrases to watch for: chain of custody, write-blocker, forensic copy, volatile, bit-for-bit, integrity, hash value.


Sources

Every claim on this page traces to the public exam blueprint and official documentation:

CutScore is an independent study tool and is not affiliated with, authorized by, endorsed by, or sponsored by Amazon Web Services. “AWS” and “AWS Certified AI Practitioner” are trademarks of Amazon.com, Inc. or its affiliates. All content is independently authored from the public exam blueprint and official documentation — no real exam content is used.
